Accidental Secrets

Yeah, providing transparency on supply-chain security for applications either large or small is the main value proposition of Konflux. The main feature to look into is our use of in-toto attestations (SLSA post, Konflux docs) and the way that we use those to gate artifacts with machine-readable policies (Conforma, recently renamed). Those attestations and policy verification form the basis of the trust chain that we can then use to trust other aspects of the build process, like the SBOM created as a byproduct of offline hermetic builds.

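The gating step the reply above describes, as an added example that is not Konflux, Conforma or in-toto project code: a signed in-toto statement carrying SLSA v1 provenance is unwrapped from its DSSE envelope, the signature is checked against a trusted key, and only then is a machine-readable policy evaluated over the provenance (subject digest, builder identity, pinned dependencies). The DSSE envelope layout, its pre-authentication encoding and the SLSA v1 field names follow the public specs; everything else is assumed for the example: the HMAC "signature" stands in for the asymmetric signature a real builder produces, and the key, image digest, builder ID, URLs and policy shape are constructed.

```python
"""Gate an artifact on its SLSA provenance attestation (added example, not project code).

The HMAC signature, key material, builder ID, URLs and policy shape below are
stand-ins constructed for this example; real systems verify an asymmetric signature.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b" ".join([
        b"DSSEv1",
        str(len(payload_type)).encode(),
        payload_type.encode(),
        str(len(payload)).encode(),
        payload,
    ])


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap an in-toto statement in a DSSE envelope (HMAC stand-in for a real signer)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, trusted_keys: dict):
    """Return the decoded statement if a signature verifies under a trusted key, else None."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(envelope["payload"])
    signed = pae(PAYLOAD_TYPE, payload)
    for entry in envelope.get("signatures", []):
        key = trusted_keys.get(entry.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            return json.loads(payload)
    return None


def evaluate_policy(statement: dict, artifact_sha256: str, policy: dict) -> list:
    """Machine-readable policy over the provenance; returns violations (empty = admitted)."""
    violations = []
    if statement.get("_type") != STATEMENT_V1:
        violations.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_V1:
        violations.append("predicate is not SLSA provenance v1")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == artifact_sha256 for s in subjects):
        violations.append("artifact digest is not a subject of the attestation")
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["allowed_builders"]:
        violations.append(f"untrusted builder: {builder}")
    for dep in predicate.get("buildDefinition", {}).get("resolvedDependencies", []):
        if "sha256" not in dep.get("digest", {}):
            violations.append(f"dependency not pinned by digest: {dep.get('uri')}")
    return violations


def gate(envelope: dict, trusted_keys: dict, artifact_sha256: str, policy: dict) -> tuple:
    """Signature first, policy second: a tampered attestation never reaches the policy."""
    statement = verify_envelope(envelope, trusted_keys)
    if statement is None:
        return False, ["attestation signature did not verify under a trusted key"]
    violations = evaluate_policy(statement, artifact_sha256, policy)
    return not violations, violations


# Constructed sample data: a fake image digest, a fake builder key and a fake builder ID.
IMAGE_SHA256 = hashlib.sha256(b"constructed image blob").hexdigest()
TRUSTED_KEYS = {"builder-key-1": b"constructed-builder-signing-key"}
POLICY = {"allowed_builders": ["https://example.test/tekton-chains"]}
SAMPLE_STATEMENT = {
    "_type": STATEMENT_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": "registry.example.test/app", "digest": {"sha256": IMAGE_SHA256}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.test/build-types/container/v1",
            "externalParameters": {"repository": "https://example.test/app.git"},
            "resolvedDependencies": [
                {"uri": "git+https://example.test/app.git", "digest": {"sha256": "a" * 64}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.test/tekton-chains"}},
    },
}
SAMPLE_ENVELOPE = sign_envelope(SAMPLE_STATEMENT, TRUSTED_KEYS["builder-key-1"], "builder-key-1")


def tampered_envelope() -> dict:
    """Same envelope with the payload edited after signing: must fail at the signature step."""
    env = dict(SAMPLE_ENVELOPE)
    stmt = json.loads(base64.b64decode(env["payload"]))
    stmt["predicate"]["runDetails"]["builder"]["id"] = "https://attacker.test/builder"
    raw = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    env["payload"] = base64.b64encode(raw).decode()
    return env


if __name__ == "__main__":
    print(gate(SAMPLE_ENVELOPE, TRUSTED_KEYS, IMAGE_SHA256, POLICY))
    print(gate(tampered_envelope(), TRUSTED_KEYS, IMAGE_SHA256, POLICY))
    print(gate(SAMPLE_ENVELOPE, TRUSTED_KEYS, "0" * 64, POLICY))
```

The ordering in `gate` is the point: the policy only ever sees provenance whose signature has verified, so a rewritten builder ID or subject digest is rejected before any policy rule runs, and a genuine attestation for a different image is rejected by the subject-digest rule rather than being trusted because it "looks right".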